BotSpot: fast graph based identification of structured P2P bots

  • Original Paper
Journal of Computer Virology and Hacking Techniques


An essential component of a botnet is its Command and Control (C2) channel, which is itself a network. C2 channels are often established with structured overlay techniques, which provide the scaffolding for sophisticated coordinated activity. The same structure, however, can serve as a point of detection, because structured overlays have distinct communication patterns. Finding those patterns is a needle-in-a-haystack search across distributed vantage points, and the search technique must be efficient given the high traffic throughput of modern core routers. In this paper, we focus on efficient algorithms for C2 channel detection. Experimental results on real Internet traffic traces from an ISP's backbone network indicate that our techniques (i) have time complexity linear in the volume of traffic, (ii) achieve a high F-measure, and (iii) are robust both to the partial visibility that arises from partial deployment of monitoring systems and to the measurement inaccuracies that arise from partial visibility and the dynamics of background traffic.


Corresponding author

Correspondence to N. Balakrishnan.

Cite this article

Venkatesh, B., Choudhury, S.H., Nagaraja, S. et al. BotSpot: fast graph based identification of structured P2P bots. J Comput Virol Hack Tech 11, 247–261 (2015).
